The FTC recently took action against Guidance Software after the company lost thousands of customer records, stolen through an insecure e-commerce site. The attack and the resulting theft of personal information seem almost banal given how frequent massive personal-data breaches have become. Despite this deluge, the FTC can pursue only a tiny subset of the companies involved. Unfortunately for Guidance, it became the FTC's 14th data-security case. So how does the FTC choose whom to file suit against, and what do the case results mean?
No one outside the FTC knows for sure what attracted it to the Guidance case, but the situation was dripping with irony: Guidance's flagship product, EnCase, has long been the de facto standard for computer forensic investigations among both private and law-enforcement investigators. One marvels at the sheer audacity of hacking the leading forensics software company. For the FTC, however, such musings quickly gave way to a formal case. The compromise went undetected for nearly four months at the end of 2005, which was perhaps a second factor in the FTC's decision to bring the case. Third, the level of security controls was unforgivably low. And finally, Guidance was preparing for an IPO, which has only recently been completed. As if an open investigation by a federal agency weren't enough to focus a company's attention, the need to woo investors and analysts in the lead-up to an IPO guaranteed the FTC an advantageous bargaining position.
Judging by this and past FTC data-security cases, it's safe to say that if the breach involves massive numbers of people and/or a nationally recognized brand name, enforcement is more likely. Rather than trying to figure out if you're a potential target, better to shore up your infosec program surrounding the personally identifiable information (PII) you store.
Although the FTC obviously intends to address a specific case, it is also speaking to the entire industry. By implication, this series of settlement agreements helps illuminate what the commission considers acceptable levels of security control.
So how did Guidance's e-commerce site get hacked? According to the FTC's complaint, the system stored both PII and administrative user credentials in unencrypted cleartext, had no vulnerability-assessment procedures, and ran no intrusion-detection systems (IDSs). The entry vector was a SQL injection attack, which the FTC called "reasonably foreseeable," language that suggests organizations can't plead ignorance of Web application flaws. The situation qualifies as a security pro's worst nightmare. High-level execs' eyes may still glaze over at the mention of esoteric-sounding attacks like SQL injection. But the fact that the FTC considers defenses against such attacks to be on par with rudimentary security controls will likely change blasé responses to budget requests for mitigating these security risks.
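The two findings in the complaint, cleartext credentials and a query assembled from raw input, are easy to show side by side. The following is an added illustration, not code from Guidance or the FTC filing; the admin table, sample accounts and schema are constructed for the example, and the hardened version swaps in a parameterized query with salted PBKDF2 password hashes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the site's admin credentials;
# nothing about the real schema is on the page.
SAMPLE_ADMINS = [("admin", "Tr0ub4dor"), ("ops", "correct horse")]


def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt plus a slow KDF, so a stolen table does not yield passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins_clear (username TEXT, password TEXT)")
    db.execute("CREATE TABLE admins_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_ADMINS:
        db.execute("INSERT INTO admins_clear VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        db.execute("INSERT INTO admins_hashed VALUES (?, ?, ?)",
                   (user, salt, hash_password(pw, salt)))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # The pattern the complaint describes: cleartext passwords and SQL built by
    # string formatting, so a quote in the input is parsed as part of the query.
    query = ("SELECT 1 FROM admins_clear WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters are always treated as data, never as SQL; the stored
    # hash is recomputed and compared in constant time.
    row = db.execute("SELECT salt, pw_hash FROM admins_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```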